Detecting anomalous activity patterns of users within an internal enterprise network is important for detecting and mitigating attacks. Attackers usually penetrate a secured internal enterprise network wherever they can, and not necessarily where they ultimately wish to be. Hence, attacks often include lateral movement within the enterprise network, which requires the attacker to investigate the network. This investigation may involve scanning the network structure and servers and, since the attacker is usually unaware of the permissions of the compromised user, an unexpectedly high number of failed authentication attempts to internal servers.
Standard approaches for detecting suspicious communication patterns typically require explicit information regarding user communications, obtained, for example, from packet monitoring. This data, however, may not always be available. In addition, standard anomaly detection approaches based on new device detection typically do not consider rare devices. Thus, there is often only one chance to detect the risky device activity (e.g., the first time the device is used). Furthermore, existing techniques fail to account for users who frequently need to log in to multiple new devices in the course of their routine work, such as Information Systems technicians, resulting in a high false alarm rate.
A need therefore exists for improved techniques for detecting suspicious internal activity on an enterprise network.